| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <d2465376-4b3e-7d3d-86d2-0cd8d7543520@gmail.com>
Date: Tue, 3 Jul 2018 21:07:07 +0900
From: Akihiro TSUKADA <tskd08@...il.com>
To: Colin Ian King <colin.king@...onical.com>,
Mauro Carvalho Chehab <mchehab+samsung@...nel.org>,
linux-media@...r.kernel.org, Antti Palosaari <crope@....fi>
Cc: "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Subject: Re: media: dvb-usb-v2/gl861: ensure USB message buffers DMA'able
Hi,
thanks for the report.
> 47 buf = NULL;
>
> Condition rlen > 0, taking false branch.
>
> 48 if (rlen > 0) {
> 49 buf = kmalloc(rlen, GFP_KERNEL);
> 50 if (!buf)
> 51 return -ENOMEM;
> 52 }
>
> 53 usleep_range(1000, 2000); /* avoid I2C errors */
> 54
> CID 1470241 (#1 of 1): Explicit null dereferenced (FORWARD_NULL).
> var_deref_model: Passing null pointer buf to usb_control_msg, which
> dereferences it.
>
> 55 ret = usb_control_msg(d->udev, usb_rcvctrlpipe(d->udev, 0),
> req, type,
> 56 value, index, buf, rlen, 2000);
>
>
> The assignment of buf = NULL means a null buffer is passed down the usb
> control message stack until it eventually gets dereferenced. This only
> occurs when rlen <= 0. I was unsure how to fix this for the case when
> rlen <= 0, so I am flagging this up as an issue that needs fixing.
>
Since rlen is an u16, null pointer is passed only when rlen == 0,
so I think it is not a problem,
but I am OK to add a guard in order to make scan result clean.
regards,
Akihiro
Powered by blists - more mailing lists